vm module used to run code (JS/TS)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
vm.runInNewContext/runInThisContext/compileFunction execute a string as code. The vm module is not a security sandbox, so running any untrusted or assembled string here is code injection.
Why it matters
vm.runInNewContext and its siblings execute a string as JavaScript. The vm module is documented as not being a security mechanism, so code run there can reach the host process. Any untrusted or assembled source here is code injection. It is a heuristic because the source may be a trusted constant.
How to fix it
Do not run untrusted code with vm. If you need to evaluate user expressions, use a dedicated safe expression evaluator with a restricted grammar. If you must isolate code, use a real sandbox such as a separate process or a WebAssembly-based runtime, and never rely on vm for a trust boundary.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo